Along with the development of network technologies in recent years, computers serving as client terminals have been connected to various networks. Accordingly, damage caused by computer viruses and the like, and damage caused by intrusions by hackers and crackers, has been increasing. Thus, security measures for client terminals have become important.
Moreover, execution of prohibited software within a subnetwork by a client terminal can make the subnetwork's security vulnerable. Further, it may sometimes be desirable to limit the communication services that are available to specific computers. For example, in an educational institution it may be desirable to restrict communication services available to students that are not suitable from an educational standpoint. In addition, minimizing unnecessary connections makes it possible to use network resources more effectively. Thus, it may be preferable that a network administrator or a service provider be able to restrict the communication services accessible to computers connected to a subnetwork, in order to control access to servers by computers lacking security measures, the use of prohibited software, and the like.
A computer lacking security measures may require the installation of a virus pattern file or a security patch provided by a server over a local area network (LAN). Here, such a computer is called a “computer to be controlled.” However, in this situation the computer to be controlled lacks security measures. Thus, it is preferable to be able to restrict the availability of all usual communication services using the server and the LAN, in order to prevent damage caused by virus and worm infection, and the like. Specifically, for the computer to be controlled, it is desirable that only the communication services needed for security measures be executed, and that other communication services irrelevant to the security measures, such as access to files and use of server applications, be restricted.
Restrictions on communication services can be provided by a firewall by capturing packets that flow between a PC (personal computer) and a server, and examining the contents of the packets (see, for example, Japanese Published Unexamined Patent Application No. 2003-273936). Japanese Published Unexamined Patent Application No. 2003-273936 teaches that packets may be filtered by a firewall between a terminal and a central server.
If all communications of a computer to be controlled pass through the firewall, the communication services of the computer to be controlled can be restricted using the method of Japanese Published Unexamined Patent Application No. 2003-273936. However, when the computer to be controlled is connected inside a subnetwork such as a LAN behind the firewall, so that communication is completed within the subnetwork without passing through the firewall, it is not possible to restrict a communication service in this way.
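The limitation described above can be shown with a small simulation. This is an added example, not part of the patent text; it assumes a constructed topology in which the computer to be controlled (192.168.10.20) and a file server (192.168.10.6) share the LAN 192.168.10.0/24 behind a border firewall, and the update server that supplies pattern files and patches (10.0.0.5) lies beyond the firewall. The firewall policy permits only the services needed for security measures, yet it is never applied to traffic completed inside the LAN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed, not from the page): the computer to be
# controlled sits on LAN 192.168.10.0/24 behind a border firewall; the
# update server that serves pattern files and patches is 10.0.0.5 on the
# far side of the firewall; a file server 192.168.10.6 is on the same LAN.
LAN = ipaddress.ip_network("192.168.10.0/24")
UPDATE_SERVER = ipaddress.ip_address("10.0.0.5")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port, used here to identify the service

# Allow-list for a computer to be controlled: only the services needed for
# security measures (HTTP/HTTPS to the update server). Everything else,
# e.g. file access (SMB, TCP 445), is denied.
ALLOWED_SERVICES = {
    (UPDATE_SERVER, "tcp", 80),
    (UPDATE_SERVER, "tcp", 443),
}

def firewall_decision(pkt: Packet) -> str:
    """Packet-filter decision the firewall makes for the controlled computer."""
    key = (ipaddress.ip_address(pkt.dst), pkt.proto, pkt.dport)
    return "permit" if key in ALLOWED_SERVICES else "deny"

def crosses_firewall(pkt: Packet) -> bool:
    """A border firewall only sees packets that enter or leave the subnetwork."""
    src_in = ipaddress.ip_address(pkt.src) in LAN
    dst_in = ipaddress.ip_address(pkt.dst) in LAN
    return src_in != dst_in

def effective_outcome(pkt: Packet) -> str:
    """Outcome for the packet given where the firewall sits."""
    # Traffic completed inside the LAN never reaches the firewall, so the
    # policy is not applied even though it would deny the service.
    if crosses_firewall(pkt):
        return firewall_decision(pkt)
    return "not inspected"

if __name__ == "__main__":
    controlled = "192.168.10.20"  # the computer to be controlled
    for dst, dport in (("10.0.0.5", 443), ("10.0.0.5", 445), ("192.168.10.6", 445)):
        pkt = Packet(controlled, dst, "tcp", dport)
        print(f"{dst}:{dport} -> {effective_outcome(pkt)}")
```

The patch download to the central server is permitted and file access to that server is denied, but file access to the server on the same LAN is delivered without the firewall ever seeing it.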
Another way to restrict communication services is by using network devices called layer 3 switches and layer 7 switches. The layer 3 switch and the layer 7 switch may be, for example, switches capable of controlling the destination of a packet according to an application-level protocol. Thus, a specific communication service can be restricted by acquiring a packet from a computer to be controlled, recognizing the service to which the packet belongs, and permitting or blocking communication with the server accordingly. However, this method of restricting communication services requires the use of layer 3 or layer 7 switches for all the switches or hubs throughout a subnetwork.
In principle, an intelligent switch could be used; however, an intelligent switch can only block a packet, and cannot restrict a communication service.
Further, it is preferable that an administrator of the subnetwork be able to restrict communication service at any arbitrary time. For example, when a new virus circulates, it is preferable that a communication service be restricted again, even though security measures have been fully implemented previously and the communication service is not restricted. It is preferable to be able to remove the restriction quickly, once security measures for the new virus are fully implemented.
Thus, as described above, there is a need for a way of restricting communication services of computers behind firewalls.